From owner-freebsd-net@FreeBSD.ORG  Sun Aug 29 19:35:05 2010
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 53EFB10656B8
	for <net@freebsd.org>; Sun, 29 Aug 2010 19:35:05 +0000 (UTC)
	(envelope-from volker@vwsoft.com)
Received: from Mail.elbekies.net (mail.elbekies.net [217.6.211.146])
	by mx1.freebsd.org (Postfix) with ESMTP id B92AD8FC19
	for <net@freebsd.org>; Sun, 29 Aug 2010 19:35:04 +0000 (UTC)
Received: from bel.soho.vwsoft.com (p57A0DC1B.dip.t-dialin.net [87.160.220.27])
	by Mail.elbekies.net (Postfix) with ESMTPA id DF9FD2E05A;
	Sun, 29 Aug 2010 21:09:56 +0200 (CEST)
Received: from [192.168.16.4] (dardanos.sz.vwsoft.com [192.168.16.4])
	by bel.soho.vwsoft.com (Postfix) with ESMTP id C42E033C7E;
	Sun, 29 Aug 2010 21:08:08 +0200 (CEST)
Message-ID: <4C7AB073.2040802@vwsoft.com>
Date: Sun, 29 Aug 2010 21:09:39 +0200
From: volker@vwsoft.com
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US;
	rv:1.9.1.11) Gecko/20100811 Thunderbird/3.0.6
MIME-Version: 1.0
To: =?ISO-8859-1?Q?=D6zkan_KIRIK?= <ozkan.kirik@gmail.com>
References: <AANLkTinQ3=6eqOLBzJF18dHb=-oEu-G6AmSG9C7TqwKW@mail.gmail.com>
In-Reply-To: <AANLkTinQ3=6eqOLBzJF18dHb=-oEu-G6AmSG9C7TqwKW@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
X-VWSoft-MailScanner: Found to be clean
X-MailScanner-ID: DF9FD2E05A.ABA9E
X-Elbekies-MailScanner: Found to be clean
X-MailScanner-From: volker@vwsoft.com
MailScanner-NULL-Check: 1283713805.72968@dLuZxfgrI0lvXxijBrLa2Q
Cc: net@freebsd.org
Subject: Re: Default router changes unexpectedly
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Aug 2010 19:35:05 -0000

On 08/29/10 19:50, Özkan KIRIK wrote:
> Hi,
>
> I am using FreeBSD 7.3 STABLE-201004. IPFW + In kernel NAT and if_vlan
> used mostly.
> System has 3 em interfaces. Scenario is classical, LAN DMZ WAN.
>
> Sometimes default router changes unexpectedly. I inspected logs if
> someone logged in or changed route. I found nothing.
> This problem repeats at least 1 times per day. I wrote a shell script
> which monitors the default router.
> I saw that sometimes netstat -rn shows that default router is changed
> as 10.3.1.64 or 10.5.3.189 etc. which are client IP addresses but
> routing still routes to right router 212.X.Y.Z .
> After a while, routing really fails.
> I use em nics for all.
> At the weekends (when most clients are now working) i dont have any problems.
> I think some network packets affects the defaultrouter.
> I tried to block packets belongs to the IP addresses which shown as
> default router (10.3.1.64, 10.5.3.189 etc.. ). Then the problem is
> solved.
>
> I wonder how the default router can be changed with packets that came
> from network?
> How can i prevent this without writing firewall rules?
> Or which packets should I drop?
>
> Any ideas?

Özkan,

just one: Do you see RIP (521/tcp, 521/udp) traffic?

Volker